root / manifests / chain.pp @ 5944b9cb
Historique | Voir | Annoter | Télécharger (1,58 ko)
| 1 | 8efbdf9a | tr | # manage a chain |
|---|---|---|---|
| 2 | 11bf7237 | Steve Traylen | define nftables::chain ( |
| 3 | 31b17627 | Steve Traylen | Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] $table = 'inet-filter', |
| 4 | Pattern[/^[a-zA-Z0-9_]+$/] $chain = $title, |
||
| 5 | Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] $inject = undef, |
||
| 6 | Optional[String] $inject_iif = undef, |
||
| 7 | Optional[String] $inject_oif = undef, |
||
| 8 | 11bf7237 | Steve Traylen | ) {
|
| 9 | 8efbdf9a | tr | $concat_name = "nftables-${table}-chain-${chain}"
|
| 10 | |||
| 11 | 11bf7237 | Steve Traylen | concat {
|
| 12 | 8efbdf9a | tr | $concat_name: |
| 13 | 30462da1 | Steve Traylen | path => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
| 14 | 8efbdf9a | tr | owner => root, |
| 15 | group => root, |
||
| 16 | mode => '0640', |
||
| 17 | ensure_newline => true, |
||
| 18 | require => Package['nftables'], |
||
| 19 | 11bf7237 | Steve Traylen | } ~> Exec['nft validate'] -> file {
|
| 20 | 30462da1 | Steve Traylen | "/etc/nftables/puppet/${table}-chain-${chain}.nft":
|
| 21 | 11bf7237 | Steve Traylen | ensure => file, |
| 22 | source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
||
| 23 | owner => root, |
||
| 24 | group => root, |
||
| 25 | mode => '0640', |
||
| 26 | 30462da1 | Steve Traylen | } ~> Service['nftables'] |
| 27 | 8efbdf9a | tr | |
| 28 | 11bf7237 | Steve Traylen | concat::fragment {
|
| 29 | 8efbdf9a | tr | default: |
| 30 | target => $concat_name; |
||
| 31 | "${concat_name}-header":
|
||
| 32 | order => '00', |
||
| 33 | e53053ce | Steve Traylen | content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {";
|
| 34 | 8efbdf9a | tr | "${concat_name}-footer":
|
| 35 | order => '99', |
||
| 36 | e53053ce | Steve Traylen | content => "# Start of fragment order:99 ${chain} footer\n}";
|
| 37 | 8efbdf9a | tr | } |
| 38 | |||
| 39 | if $inject {
|
||
| 40 | $data = split($inject, '-') |
||
| 41 | af544fea | tr | $iif = $inject_iif ? {
|
| 42 | undef => '', |
||
| 43 | default => "iifname ${inject_iif} ",
|
||
| 44 | } |
||
| 45 | $oif = $inject_oif ? {
|
||
| 46 | undef => '', |
||
| 47 | default => "oifname ${inject_oif} ",
|
||
| 48 | } |
||
| 49 | 11bf7237 | Steve Traylen | nftables::rule { "${data[1]}-jump_${chain}":
|
| 50 | 8efbdf9a | tr | order => $data[0], |
| 51 | af544fea | tr | content => "${iif}${oif}jump ${chain}",
|
| 52 | 8efbdf9a | tr | } |
| 53 | } |
||
| 54 | } |